/g/ - Technology




File: 1756060817526825.jpg (189 KB, 1093x1262)
every website you visit in a scripting-enabled browser knows everything you're doing
>>
>test Mac
lmao
>>
>>109006128
Doesn't sound plausible as there's no such API
>>
I keep my browser's profile in ram. Have zero disk writes or reads.
>>
File: IMG_0908.jpg (95 KB, 828x439)
>>109006144
>>
>>109006128
tl;dr only safe way is to use Linux and Firefox (or forks) or LadyBird. MACOS, WINDOWS AND CHROMIUM BASED ARE DANGEROUS AND ONLY AFFECTED. Apple, Microsoft and Google/Brave will not fix this and don't care about user security/privacy or laws of the country you live in.
>(ungoogled-)chromium/Brave/all fork developers stated that fingerprinting attacks are not considered security vulnerabilities and they don't care about this at all
>Apple classified the issue as "currently out of scope" and doesn't care about user security at all
>Mozilla (Firefox) and all forks + LadyBird: Acknowledged the findings as "high level risk" and will immediately implement protections for user safety
>Linux (slower attack speed, more effort to bypass limits, smaller OPFS files (10 GB vs 60% of disk))
>Firefox/LadyBird (stricter OPFS limits, slower data exfiltration (661 bit/s vs 892 bit/s), more privacy-focused)
>in Linux users can use profile-sync-daemon (PSD), which moves browser profiles to tmpfs (RAM), preventing SSD access entirely
>>
File: IMG_0909.jpg (37 KB, 828x394)
>>109006128
>>109006135
>>109006144
I'm only going to host this temporarily, so download my HTML proof of concept while you can:
http://7bjerstmtoxmbtynslafwc52o4bijlx6pb6calxrx53sl3oofz5r6dad.onion/
>>
>>109006128
If you run untrusted code on your computer, you may be pwned by anyone with enough skill to figure out how.
All the browser "sandboxing" is security theater and the only way to make the web secure is by nuking Javascript from orbit (and also some of the more advanced CSS features need to go as well).
If you do that you'll make the web effectively unusable.
>>
File: IMG_0912.jpg (110 KB, 827x1484)
>>109006283
Someone downloaded it, I think. Anyways, going to make bfast now, so no more hosting. Pic rel, a single HTML page can monitor your SSD read/write speeds periodically using OPFS. From there you would need to fingerprint various apps running on various systems, then compare users' OPFS fingerprints to the data sample.
>>
>>109006128
>including 4chan
Google web everyone
All websites require this shit by the way
>>
>>109006128
That is an interesting way to break user's privacy, but not a terrible one.

Basically if moot added this exploit to 4chan, he'd be able to know which users are opening youtube, instagram, gmail and other sites the AI analyzer tool has been trained already on, being able to fingerprint what sites you open based on their loading times, not really which urls you access.

However if you visit feetfreaks dot waifu or something of that sorts, and the AI tool was trained on analyzing that site's load timing, now moot would know ur a dirty freak
>>
>>109006377
>Pic rel, a single HTML page can monitor your SSD read/write speeds periodically using OPFS. From there you would need to fingerprint various apps running on various systems, then compare users' OPFS fingerprints to the data sample.
What's the gain here knowing which application the user is running? He has super coomer 5000 running, wow, how does that help. Most people will just have a random PDF open or music playing.
>>
>>109006457
Datamining and/or recon. Datamining you sell and make money via ads or otherwise (data brokers). Either directly or through a financial transaction, malicious users can do the same thing adverts do, but instead of giving you ads to take your money, they give you targeted malware to take your money. ads and social engineering for malicious gain is very closely related. A thin interpretational line. Oh and I guess glowniggers can subvert one from saving the white race or stopping da jooos, too.
>>
>>109006518
This is why you do spycraft with a 6502 microprocessor.
>>
>>109006128
>researchers say
>researchers claim

hmm okay
>>
>>109006128
>the website you're visiting knows which website you're visiting
>>
>>109006128
I don’t fucking care. They’re going to do whatever they want to do to me and I can’t stop them.
>>
>>109006277
or just use noscript instead
>>
>>109006128
And what happens when you open a second tab?
Now the data is destroyed because the cpu load is completely random spread between multitasking.

Like this is the most retarded thing, pwease close your 360 other tabs so we can twack you
>>
>>109006908
I believe the FROST attack makes a file too big for your RAM so your system tries to stick it on your SSD. This process uses the SSD's controller. When the controller is in higher vs lower use, it reads/writes at different speeds. The attack here randomly reads back small bytes from its file write; this provides a random sample of the SSD use. Think like painting a piece of paper one known color to make a background so everything else stands out. The read speed change of the random bytes reflects usage of the SSD controller outside the attacker's OPFS file. What I guess they figured out was that these usage timing changes are consistent with specific apps or websites also being run and competing for use of the SSD controller. By fingerprinting the dips and spikes in performance they can map that to specific apps or websites.
>>
>>109006128
>test mac
the absolute state of ijeets. in shambles.

>>109006144
dumbfucks allowing javasirscript to run at all makes a lot of fucking trash possible, especially on poorly designed computers running poorly designed operating systems by retards at apple
>>
apps?
>>
Pale Meme wins again (doesn't support OPFS)
>>
>>109007020
If all you're seeing is performance dips and spikes, though, then how does that work out when you've got a bunch of shit running and you don't know which program is behind which change in performance.
>makes a file too big for your RAM
Sounds like a site utilizing this would by itself cause noticeable performance issues, to the point that people would avoid it. It'd be discovered in no time.
>>
could one theoretically make a site that just hammers up to 60% of your ssd with noise and wipes it repeatedly? just as a fuck you?
>>
>>109006844
please don't talk with your mouth full
>>
File: file.png (6 KB, 725x85)
>>109007087
i think im stupid
>>
File: 1683838738503483.jpg (41 KB, 680x604)
>>109007104
Don't be a rooster pop.
>>
>>109007069
> If all you're seeing is performance dips and spikes, though, then how does that work out when you've got a bunch of shit running and you don't know which program is behind which change in performance
Statistics. If you got shit running, it's not high entropy (random), meaning all that shit can be fingerprinted and matched. It's also why it uses confidence ratings, usually 80%+, as it's likely, like you said, unknown (not fingerprinted yet) processes inferring; however, they can infer what they have identified or know.

> Sounds like a site utilizing this would by itself cause noticeable performance issues, to the point that people would avoid it. It'd be discovered in no time.

It sounds like literally many normie websites and apps do this though, just the question is about them using the FROST technique to analyze the feedback. Otherwise it's a normal and common function you experience every day using a computer to access websites, else the attack itself would not work. Any site that writes to your system does so to read it back and see the time it took. That's all they are doing, but they are doing so randomly as to sample your performance, then mapping that to other processes.
>>
>>109007104
cock sucker, i'm implying that you've given up and are sucking their cocks
>>
>>109007080
You might be able to add some process monitor that detects when single sources do random reads, then throttle them randomly skew their metrics? Since the attack itself relies on the assumption most programs are not randomly using the SSD controller, high entropy read requests should stand out. Especially if being done at not human speeds.
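
The detection half of the idea in the post above, as an added example (not part of the original post and not code from the thread's PoC): it scores per-source read traces for many small reads at scattered offsets issued faster than interactive use. The event format, source names, thresholds and the trace itself are constructed assumptions.

```python
import math
import random
from collections import Counter, defaultdict
from statistics import median

# Thresholds are illustrative assumptions, not measured values.
BUCKETS = 64        # resolution of the offset histogram
MIN_SAMPLES = 64    # ignore sources with too little data
MIN_RATE = 50.0     # reads/second, faster than interactive use
MIN_ENTROPY = 0.85  # normalized Shannon entropy of offsets (0..1)
MIN_JUMPS = 0.9     # share of reads that do not continue the previous one
MAX_READ = 4096     # bytes; probe-sized reads

def profile(rows):
    """rows: time-sorted (t, offset, length, file_size) for one source."""
    n = len(rows)
    rate = (n - 1) / max(rows[-1][0] - rows[0][0], 1e-9)
    bins = Counter(min(o * BUCKETS // size, BUCKETS - 1) for _, o, _, size in rows)
    entropy = -sum(c / n * math.log2(c / n) for c in bins.values()) / math.log2(BUCKETS)
    jumps = sum(b[1] != a[1] + a[2] for a, b in zip(rows, rows[1:])) / max(n - 1, 1)
    return {"n": n, "rate": rate, "entropy": entropy, "jumps": jumps,
            "median_len": median(r[2] for r in rows)}

def flag_samplers(events):
    """events: (source, t, offset, length, file_size). Returns {source: profile}."""
    by_src = defaultdict(list)
    for src, *row in events:
        by_src[src].append(tuple(row))
    out = {}
    for src, rows in by_src.items():
        p = profile(sorted(rows))
        p["suspicious"] = (p["n"] >= MIN_SAMPLES and p["rate"] >= MIN_RATE
                           and p["entropy"] >= MIN_ENTROPY and p["jumps"] >= MIN_JUMPS
                           and p["median_len"] <= MAX_READ)
        out[src] = p
    return out

def constructed_trace(seed=1):
    """Constructed sample input: three hypothetical sources, each on a 1 GiB file."""
    rng, GiB, ev = random.Random(seed), 1 << 30, []
    for i in range(500):  # small reads at random offsets, 500/s
        ev.append(("tab:sampler", i * 0.002, rng.randrange(GiB - 64), 64, GiB))
    for i in range(100):  # sequential 1 MiB streaming reads, 20/s
        ev.append(("media-player", i * 0.05, i << 20, 1 << 20, GiB))
    for i in range(200):  # small reads confined to a 16 MiB hot region, 200/s
        ev.append(("db-engine", i * 0.005, rng.randrange(1 << 24) & ~4095, 4096, GiB))
    return ev

if __name__ == "__main__":
    for src, p in flag_samplers(constructed_trace()).items():
        print(f"{src:13} rate={p['rate']:7.1f}/s entropy={p['entropy']:.2f} "
              f"jumps={p['jumps']:.2f} suspicious={p['suspicious']}")
```

The hot-region source shows why rate and non-sequential access alone are not enough: it jumps on almost every read but stays in one histogram bucket, so only the scattered sampler crosses every threshold.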
>>
File: IMG_0913.png (96 KB, 887x918)
Holy hell. Got Claude to finally give me a better working proof. Of course, it fails and forces you to debug till the very last token, then when you're sucked dry that last one works. Very interesting, but unrelated....

Pic rel view of live read/write measurements. When I moved my mouse or brought other apps in focus it caused noticeable spikes. This PoC you can export everything it captures as a CSV, which I'm sure you can script some Python scripts to analyze it and create unique fingerprints like hashing.

Save these exactly as I mentioned them below in the same directory. Can be served on any device on your LAN, including your phone, then access it in browser from any device you want to test.

This demo does it all locally, but a website would do something like this, only send the data back to themselves instead of performing it all client-side.

Html file (save as frost-demo.html)
https://files.catbox.moe/crosvv.html

Python server (save as serve.py)
https://files.catbox.moe/pznqwc.py

Run with:
python serve.py
>>
>>109007167
Wouldn't you also have to allow a site to store data on your machine?
This sounds a lot like when they said they could get your encryption key from listening to the sounds your CPU makes when you decrypt something. Like sure technically, but also no not really. The fact they do this:
>it uses confidence ratings, usually 80%+
Kind of makes it look like an educated guess at best.
>>
>>109007417
I made a visual PoC >>109007404
You can download, save and serve it like a site would without you knowing, then test it on any device on your LAN, export the CSV and come up with some fingerprinting system to compare them. Run the code through AI first to make sure it's not really a backdoor or malware.
>>
File: 1761867666459832.jpg (149 KB, 1024x1021)
>>109007117
>Last night I architected your sister
It all makes sense now.
>>
>>109006128
>websites can rape your hard drive
I sure do love webniggers.
>>
File: 1693469133230944.jpg (69 KB, 844x629)
>>109007546
Just buy more RAM, bro. Just buy more SSDs, bro.
>>
Joke is on them i have browser cache disabled.
>>
>>109007556
>just buy a new SSD for 4x the price after we rape it to death
>>
File: 1557507727650.gif (357 KB, 444x225)
>>109007574
Cool it with the antisemitism, pal.
>>
>>109006128
>on a test Mac
iToddlers BTFO
>>
>>109007646
My preliminary test was on a Windows system >>109007404

MacOS is basically hardened Linux... well, with additional Apple spyware.
>>
>>109007814
>MacOS is basically hardened Linux
are you retarded?
>>
>>109006199
why are money worshippers so obsessed with money to the point of doing this nonsense, it's like measuring the heart rate of an ant to calculate the ph of the soil
>>
>>109006128
how do you use this site without javascript?
how do you use ANY website these days without JS to pass the anti-bot challenges?
>>
>>109006377
>from there you would need to fingerprint various apps running on various systems, then compare users OPFS fingerprints to datasample
Which would only work on a standardized system, like on Mac, and only to detect which big well-known bloatware is running.
It's an iToddler issue. There are only so many Mac configurations possible.
It doesn't affect anyone else, as the data gets diluted enough.
>>
>>109006128
Interesting.
But what's the point?
Fingerprinting already exists. Combined with Cloudflare, which is nigh omnipresent, Cloudflare or anyone they share their data with can already track most sites you visit, and if the sites without Cloudflare share their data with anyone then Cloudflare can connect that fingerprint to you as well. And there's no good way around this because Cloudflare will block you if they can't fingerprint you.
>>
>>109008533
The point is that while the Discord app collects all your running processes and uploads them and cloudflare tracks all your internet usage... potentially giving someone else access to a tiny fraction of that data with a 1 in a million chance of it even working, is a HUGE issue.

You are a golem owned by kikes.
Your info getting to someone else would therefor be someone stealing from kikes.
>>
>identified websites with 89% accuracy
Most people are using the same 5-6 websites every day
>>
>>109009235
I browse 194 geocities sites every day. I use Excite to search. I have a AOL email address. I use a WebTV box at 28.8kbps to browse in 640x480 over S-video to my CRT.
>>
>>109008338
It's not a MacOS thing at all, it's literally a JavaScript/browser thing. I made and tested the concept on Windows >>109007404
That spike was from me clicking on Notepad or the Telegram app or something.
>>
>>109008221
> how do you use this site without javascript?
You can use plugins to block or use CLI browsers, but I know what you mean. Breaks functionality for nearly everything.

> how do you use ANY website these days without JS to pass the anti-bot challenges?
That's the bigger issue. The other one is selective and has workarounds. This one does not have one yet. I'm thinking something may need to come from a Man-in-the-Browser type of attack, except obviously not malicious to you, and you doing it on purpose. The "Man" in this theoretical MitB would also likely have to be an AI.
>>
>>109009413
AI TPM? What could go wrong?
>>
The most robust, secure and private OS ever is GrapheneOS and it's about to become a microkernel making it more better than ever.
>>
>>109006277
Brave and ungoogled-chromium developers absolutely care about browser fingerprinting, and treating it as a privacy threat is central to their development goals. The idea that they "don't care at all" is a misunderstanding, likely stemming from how vulnerability disclosure programs separate privacy bugs from security bugs.
>>
>>109009452
> AI TPM
An AI Trusted Platform Module? AI tokens per minute? Like are you referring to having one installed on your hardware? Or concerned over token usage?

I was thinking of an AI in a box sort of deal, which could be open-sourced. Run on a home system, in which you configure a backdoor proxy to use it with any device, and it could interact with the websites through a VPN client running outside the box. VPN could be any commercial one of your choice, or configured with Tor or your own. If this idea would be too demanding of personal hardware, it could be set up in a VPS or some cloud thing. After every use, the box gets thrown away and a new one spun up, traffic continues through the VPN location as you choose.
>>
>>109006308
This.
Stallman warned us about nonfree javascript. Everyone should use hick blocking tool. Especially when ordering pizza.
>>
>>109006128
>>109009953
https://nonfree.pizza/
>>
File: 1752517175008150.png (92 KB, 629x1173)
this would be shut down IF we had "the people's lobby", but das communism, so better, all of us, very individually as you like it, bend over and take it from all their lobbies, because we don't want to be "communists". fucking retards the lot of you
>>
>>109009952
I meant trusted platform module. I'm super high rn. lol Anyway, I think that an entirely new network stack is needed if people want real anonymity. Nothing is secure.
>>
they can't hack or anything i have norton
>>
>>109007476
>Run the code through AI first to make sure its not really a backdoor or malware
No need. My system runs on a Full Trust Platform, FTP for short. Which means I and my computer naturally trust all code running on it.
>>
>>109006283
im not clicking on that link.
>>
>>109006160
can this be done? lets say store it on disk on close and load it from disk but i really want my whole shit in ram desu. shitux fed43
>>
>websites have the ability to arbitrarily write whatever they want to your hard drive
Who decided this was a good idea?
>>
>>109010253
Okay. I ended the share hours ago. I catboxed the better version of it ITT. Nothing runs or downloads automatically by a catbox link. You can view the code before download and paste it through AI to do a heuristic or behavior-based check of it for malware.
>>
File: IMG_0921.jpg (90 KB, 828x1441)
>>109010044
>>
File: IMG_0922.jpg (131 KB, 828x1566)
Semi-interesting: the FROST PoC seems to run on Safari for iPhone, but fails to work on Brave for iPhone; however, on Brave on Windows desktop it works, but on Mullvad on Windows it does not.
>>
>>109006128
Yes.
https://abrahamjuliot.github.io/creepjs/
>>
>>109010667
Well its "sandbox" problem is the box is not sandboxed.


